CSRF Tokens

LiveHelperChat · Aug 25, 2021 · f7584a2 · f7584a2
1 parent ee36bf5
commit f7584a2
Show file tree

Hide file tree

Showing 20 changed files with 70 additions and 34 deletions.
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/5.07d5fed071fa31a93f1e.js b/lhc_web/design/defaulttheme/js/admin/dist/5.07d5fed071fa31a93f1e.js
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/5.07d5fed071fa31a93f1e.js.map b/lhc_web/design/defaulttheme/js/admin/dist/5.07d5fed071fa31a93f1e.js.map
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/5.212dc9dcae73358ed7d1.js b/lhc_web/design/defaulttheme/js/admin/dist/5.212dc9dcae73358ed7d1.js
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/5.212dc9dcae73358ed7d1.js.map b/lhc_web/design/defaulttheme/js/admin/dist/5.212dc9dcae73358ed7d1.js.map
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/react.admin.app.js b/lhc_web/design/defaulttheme/js/admin/dist/react.admin.app.js
diff --git a/lhc_web/design/defaulttheme/js/admin/dist/react.admin.app.js.map b/lhc_web/design/defaulttheme/js/admin/dist/react.admin.app.js.map
diff --git a/lhc_web/design/defaulttheme/js/admin/src/components/GroupChat.js b/lhc_web/design/defaulttheme/js/admin/src/components/GroupChat.js
@@ -8,6 +8,8 @@ import useInterval from "./lib/useInterval";
 import {groupChatSync} from "./lib/groupChatSync";
 import {useTranslation} from 'react-i18next';
 
+axios.defaults.headers.common['X-CSRFToken'] = confLH.csrf_token;
+
 function reducer(state, action) {
     switch (action.type) {
         case 'increment':

diff --git a/lhc_web/design/defaulttheme/js/angular.lhc.js b/lhc_web/design/defaulttheme/js/angular.lhc.js
@@ -12,13 +12,17 @@ lhcAppControllers.config(['$compileProvider', function ($compileProvider) {
     $compileProvider.debugInfoEnabled(false);
 }]);
 
+lhcAppControllers.run(['$http', function ($http) {
+    $http.defaults.headers.common['X-CSRFToken'] = confLH.csrf_token;
+}]);
+
 angular.element(document).ready(function(){
     var element = angular.element(document.querySelector("form"));
     element.triggerHandler("$destroy");
 });
 
 services.factory('LiveHelperChatFactory', ['$http','$q',function ($http, $q) {
-	
+
 	this.loadChatList = function(filter){
 		var deferred = $q.defer();		
 		$http.get(WWW_DIR_JAVASCRIPT + 'chat/syncadmininterface' + filter).then(function(data) {

diff --git a/lhc_web/design/defaulttheme/js/angular.lhc.min.js b/lhc_web/design/defaulttheme/js/angular.lhc.min.js
diff --git a/lhc_web/design/defaulttheme/js/js_static/53daa665fc5c26fd753c137cf4fa07b7.js b/lhc_web/design/defaulttheme/js/js_static/53daa665fc5c26fd753c137cf4fa07b7.js
diff --git a/lhc_web/design/defaulttheme/js/js_static/53daa665fc5c26fd753c137cf4fa07b7.js.map b/lhc_web/design/defaulttheme/js/js_static/53daa665fc5c26fd753c137cf4fa07b7.js.map
diff --git a/lhc_web/design/defaulttheme/js/js_static/cb79ca73cf9d378d7c3530fbe6765ae2.js b/lhc_web/design/defaulttheme/js/js_static/cb79ca73cf9d378d7c3530fbe6765ae2.js
diff --git a/lhc_web/design/defaulttheme/js/js_static/cb79ca73cf9d378d7c3530fbe6765ae2.js.map b/lhc_web/design/defaulttheme/js/js_static/cb79ca73cf9d378d7c3530fbe6765ae2.js.map
diff --git a/lhc_web/design/defaulttheme/js/js_static/d2012e174bb7dc98cdfd4c4a1a12008c.js b/lhc_web/design/defaulttheme/js/js_static/d2012e174bb7dc98cdfd4c4a1a12008c.js
diff --git a/lhc_web/design/defaulttheme/js/js_static/d2012e174bb7dc98cdfd4c4a1a12008c.js.map b/lhc_web/design/defaulttheme/js/js_static/d2012e174bb7dc98cdfd4c4a1a12008c.js.map
diff --git a/lhc_web/modules/lhgroupchat/cancelinvite.php b/lhc_web/modules/lhgroupchat/cancelinvite.php
@@ -6,6 +6,11 @@
 $db->beginTransaction();
 
 try {
+
+    if (!isset($_SERVER['HTTP_X_CSRFTOKEN']) || !$currentUser->validateCSFRToken($_SERVER['HTTP_X_CSRFTOKEN'])) {
+        throw new Exception('Invalid CSRF token!');
+    }
+
     $item = erLhcoreClassModelGroupChat::fetch($Params['user_parameters']['id']);
 
     erLhcoreClassGroupChat::cancelInvite($item->id, $Params['user_parameters']['op_id']);

diff --git a/lhc_web/modules/lhgroupchat/inviteoperator.php b/lhc_web/modules/lhgroupchat/inviteoperator.php
@@ -6,6 +6,11 @@
 $db->beginTransaction();
 
 try {
+
+    if (!isset($_SERVER['HTTP_X_CSRFTOKEN']) || !$currentUser->validateCSFRToken($_SERVER['HTTP_X_CSRFTOKEN'])) {
+        throw new Exception('Invalid CSRF token!');
+    }
+
     $item = erLhcoreClassModelGroupChat::fetchAndLock($Params['user_parameters']['id']);
 
     erLhcoreClassGroupChat::inviteOperator($item->id, $Params['user_parameters']['op_id'], ($item->type == erLhcoreClassModelGroupChat::SUPPORT_CHAT ? erLhcoreClassModelGroupChatMember::SUPPORT_CHAT : erLhcoreClassModelGroupChatMember::NORMAL_CHAT));

diff --git a/lhc_web/modules/lhgroupchat/leave.php b/lhc_web/modules/lhgroupchat/leave.php
@@ -6,6 +6,11 @@
 $db->beginTransaction();
 
 try {
+
+    if (!isset($_SERVER['HTTP_X_CSRFTOKEN']) || !$currentUser->validateCSFRToken($_SERVER['HTTP_X_CSRFTOKEN'])) {
+        throw new Exception('Invalid CSRF token!');
+    }
+
     $item = erLhcoreClassModelGroupChat::fetchAndLock($Params['user_parameters']['id']);
 
     $groupChatMember = erLhcoreClassModelGroupChatMember::findOne(array('filter' => array('user_id' => $currentUser->getUserID(), 'group_id' => $Params['user_parameters']['id'])));

diff --git a/lhc_web/modules/lhgroupchat/newgroupajax.php b/lhc_web/modules/lhgroupchat/newgroupajax.php
@@ -6,29 +6,39 @@
 
 if (isset($payload['name']) && $payload['name'] != '') {
 
-    // Create a group chat
-    $item = new erLhcoreClassModelGroupChat();
-    $item->name = $payload['name'];
-
-    if ($currentUser->hasAccessTo('lhgroupchat','public_chat')) {
-        $item->type = isset($payload['public']) && $payload['public'] == 1 ? 1 : 0;
-    } else {
-        $item->type = 1;
+    try {
+        if (!isset($_SERVER['HTTP_X_CSRFTOKEN']) || !$currentUser->validateCSFRToken($_SERVER['HTTP_X_CSRFTOKEN'])) {
+            throw new Exception('Invalid CSRF token!');
+        }
+
+        // Create a group chat
+        $item = new erLhcoreClassModelGroupChat();
+        $item->name = $payload['name'];
+
+        if ($currentUser->hasAccessTo('lhgroupchat','public_chat')) {
+            $item->type = isset($payload['public']) && $payload['public'] == 1 ? 1 : 0;
+        } else {
+            $item->type = 1;
+        }
+
+        $item->user_id = $currentUser->getUserID();
+        $item->time = time();
+        $item->saveThis();
+
+        // Create a member
+        $newMember = new erLhcoreClassModelGroupChatMember();
+        $newMember->user_id = $item->user_id;
+        $newMember->group_id = $item->id;
+        $newMember->last_activity = time();
+        $newMember->jtime = time();
+        $newMember->saveThis();
+
+        echo json_encode($item);
+    } catch (Exception $e){
+        http_response_code(400);
+        echo json_encode(array('error' => true, "messages" => $e->getMessage()));
     }
 
-    $item->user_id = $currentUser->getUserID();
-    $item->time = time();
-    $item->saveThis();
-
-    // Create a member
-    $newMember = new erLhcoreClassModelGroupChatMember();
-    $newMember->user_id = $item->user_id;
-    $newMember->group_id = $item->id;
-    $newMember->last_activity = time();
-    $newMember->jtime = time();
-    $newMember->saveThis();
-
-    echo json_encode($item);
 } else {
     http_response_code(400);
     echo json_encode(array('error' => true));

diff --git a/lhc_web/modules/lhgroupchat/startchatwithoperator.php b/lhc_web/modules/lhgroupchat/startchatwithoperator.php
@@ -11,6 +11,11 @@
 $db->beginTransaction();
 
 try {
+
+    if (!isset($_SERVER['HTTP_X_CSRFTOKEN']) || !$currentUser->validateCSFRToken($_SERVER['HTTP_X_CSRFTOKEN'])) {
+        throw new Exception('Invalid CSRF token!');
+    }
+
     // We need to find a private chat where only we are the members with another operator
     $sql = "SELECT DISTINCT `lh_group_chat`.`id`,count(`lh_group_chat_member`.`id`) as `tm_live` FROM `lh_group_chat`
 INNER JOIN lh_group_chat_member ON `lh_group_chat_member`.`group_id` = `lh_group_chat`.`id`